[dns-operations] Denying Whois DB by GeoIP

Keith Mitchell keith at dns-oarc.net
Sat Jun 10 09:13:40 UTC 2017

On 06/10/17 00:38, Jothan Frakes wrote:
> I get spam and also telemarketers and robo calls to email addresses
> and telephone numbers created anew for whois contact on a
> registration within 24 hours of a domain registration.

This is consistent with my anecdotal experience too.

> I really cannot trust or agree with any assertion that whois
> information is not the origin, directly or via intermediary, in the
> presence of such empirical proof to the contrary.

Rate-shaping of incoming WHOIS queries by registries is AIUI
commonplace, both as a blacklist abuse prevention measure, and also to
whitelist (opt-in) higher qualities of service/access to e.g.
members/registrars of these registries, or bona-fide researchers.

On 06/08/17 20:55, John Levine wrote:
> No, but there is also nothing that says that ccTLDs have to provide 
> any WHOIS service at all.

I've also heard of smaller registries, for whom rate-shaped WHOIS
protection is simply too much operational effort, and who will just shut
the service down completely for the duration of any major attack.

Note that the abusive WHOIS traffic does not just come from spammers
harvesting POC e-mail addresses; it can for example come from some of
the shadier corners of the secondary DNS market (speculation,
drop-catching), or bad folks playing fast-flux games.

Having said that, I've not seen any recent or long time-baseline data
for this; it would be interesting to know if the prevalence of abusive
WHOIS traffic has changed over time.


> In article <20170610023033.GC16459 at clanspum.net> you write:
>> I pretty strongly disagree with this. I get _tons_ of spam to the
>> email address I only use for domain registrations.
> I get practically none to the address I use only on DNS
> registrations. These days there are so many spam address lists
> floating around that it's not worth their effort to futz with whois.
> It looks like you've been using the same contact address for a long 
> time.  Spammers did scrape whois addresses 15 or 20 years ago, but 
> that was then.
